nss_vserver is a nss authentication module for linux-vserver powered systems which allows processes running on the host (sshd, getty) to authenticate users that exist on guests.

−

Read about linux-vserver at http://linux-vserver.org/.

+

The module should almost transparently drop in to a modern Linux system: PAM would call its pam_unix module, which would in turn look through the nss modules to complete the process.

−

nss_vserver module allows you to auth users from vservers on host via standard PAM auth. If you want to make user login into their vserver via host, you should also get a bit modified vslogin (originally written by

+

If you want to complete the guest login process, you should also get a modified version of vslogin linked to below. vslogin will pick up after authentication and deliver the user to a shell on his guest.

Note that with nss_vserver you don't need the syncshadows included in the vserverauth tarball.

−

With using nss_vserver you not needed in syncshadows daemon from vserverauth.tar.gz -- only vslogin

+

== Why would I use it? ==

−

== How to build and install? ==

+

Using nss_vserver and vslogin you could run a single instance of sshd on the host. This host-based server would verify the credentials of a user on a guest and then vslogin would take care of presenting the user a guest-based shell.

−

On linux, just run

+

== Installation Instructions ==

−

<code>

+

1. Get the appropriate version. On x86 versions you need to use the pthread version, on amd64 (and possible x86_64) you need the cthreads version (listed as nss_vserver_64). Also, on amd64 it's in /lib/, not in /lib/tls/.

−

make install

+

2. On linux, just run

+

make install

−

</code>

+

* Note: on recent kernels test passes, but you unable to login via ssh. To fix that problem:

−

After, try to run

+

2.1. edit /etc/nsswitch.conf, remove "vserver" from "group:" line

−

<code>

+

2.2. Add into /etc/group line "vserver:x:9999:"

−

+

−

make test

+

−

+

−

</code>

+

+

3. After, try to run

+

make test

To see if it works.

To see if it works.
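Review bot: step 1 names amd64 and x86_64 as if they were different platforms ("on amd64 (and possible x86_64)"); they are the same architecture, so name it once and state plainly that it takes the nss_vserver_64 build and installs to /lib/ rather than /lib/tls/. The note under step 2 also says "test passes" before step 3 has introduced make test, and steps 2.1 and 2.2 give no reason for removing "vserver" from the group: line or for choosing GID 9999; move the note after step 3 and say what the /etc/group entry is for and that the GID must be unused on the host. The removed link to http://linux-vserver.org/ is not replaced, and "linked to below" refers to a vslogin link that these lines do not contain.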

Line 35:

Line 34:

Just run

Just run

−

<code>

+

make uninstall

−

make uninstall

+

== Use with vslogin ==

−

</code>

+

After you have installed module, (and have vslogin copied to /sbin/ and suid-root) you are ready: try to login into a guest, say one named "test" with user "user", by loggin in into the host with username "test-user" or "user@test." You should find yourself logged into the guest.

−

== How to use it? ==

+

Note: vslogin requires vservers root too be at /vservers, so make it as symlink to your location. For example, for debian systems need to do

+

ln -s var/lib/vservers /vservers

−

After you have installed module, put vslogin to /sbin/, make it suid-root, and you are ready -- try to login into vserver named "test" with user "user" by loggin in into host with username "test-user" or "user@test" -- you should login fine and get into vserver.

+

== Caveats ==

−

WARNING! If you have installed vslogin, NEVER give shell access to your host to users -- any user on host, who able to execute programs and modify environment will be able to log into vservers as anybody he want!

+

=== Security ===

+

WARNING! If you have installed vslogin, NEVER give shell access to your host to users -- any user on host, who able to execute programs and modify environment will be able to log into guests as anybody he wants!

−

== Usernames and vserver names with dashes ==

+

=== Usernames and guest names with dashes ===

−

Avoid using usernames or vserver names with dashes.

+

Avoid using usernames or guest names with dashes.

−

Because current version try only one configuration while searching for user in vserver db.

+

The current version only tries one configuration while searching for the user in guest databases, which can cause problems:

−

User "abc" on vserver "efg-hij" when written as "abc@efg-hij" will work fine, while "efg-hij-abc" will be threated as user "hij-abc" on vserver "efg".

+

* User "user" on guest "ser-ver" when written as "user@ser-ver" will work fine, while "ser-ver-user" will be threated as user "ver-user" on vserver "ser".

+

* User "us-er" on guest "server" when written as "guest-us-er" will work fine, while "us-er@guest" will be threated as user "er@guest" on vserver "us".

−

User "abc-def" on vserver "efg" when written as "efg-abc-def" will work fine, while "abc-def@efg" will be threated as user "def@efg" on vserver "abc".
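Review bot: the second new bullet under "Usernames and guest names with dashes" names the guest "server" but then writes the logins as "guest-us-er" and "us-er@guest", so the example no longer matches its own premise; use "server-us-er" and "us-er@server", or call the guest "guest" throughout. Both new bullets still say "vserver" where the rest of the revision switched to "guest", and "threated" should be "treated". In the vslogin note, ln -s var/lib/vservers /vservers uses a relative target that resolves correctly only because the link sits in /; writing /var/lib/vservers makes the intent unambiguous. The uninstall command also loses its code markup here, unlike the way other commands were marked up in the old text.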

nss_vserver is an NSS authentication module for linux-vserver powered systems that allows processes running on the host (sshd, getty) to authenticate users that exist on guests.

The module should drop into a modern Linux system almost transparently: PAM would call its pam_unix module, which would in turn look through the NSS modules to complete the process.

If you want to complete the guest login process, you should also get a modified version of vslogin linked to below. vslogin will pick up after authentication and deliver the user to a shell on his guest.

Note that with nss_vserver you don't need the syncshadows included in the vserverauth tarball.

Using nss_vserver and vslogin you could run a single instance of sshd on the host. This host-based server would verify the credentials of a user on a guest and then vslogin would take care of presenting the user a guest-based shell.

1. Get the appropriate version. On x86 versions you need to use the pthread version; on amd64 (and possibly x86_64) you need the cthreads version (listed as nss_vserver_64). Also, on amd64 it's in /lib/, not in /lib/tls/.

2. On Linux, just run

make install

Note: on recent kernels the test passes, but you are unable to log in via ssh. To fix that problem:

After you have installed the module (and have vslogin copied to /sbin/ and made suid-root), you are ready: try to log in to a guest, say one named "test" with user "user", by logging in to the host with username "test-user" or "user@test". You should find yourself logged into the guest.
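The two login forms above become ambiguous once a guest or user name contains a dash, as the dash caveat in the revision text describes. The following C sketch is an added example, not code from nss_vserver or vslogin: `split_first` is a rule inferred from the page's examples (one attempt, split at the first `-` or `@`), and `resolve_strict` is a hypothetical stricter alternative that accepts a login only when exactly one split names an existing guest. The guest list and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: guest names configured on the host (assumption). */
static const char *GUESTS[] = { "test", "server", "ser", "ser-ver", NULL };

static int guest_exists(const char *g, size_t n) {
    for (int i = 0; GUESTS[i]; i++)
        if (strlen(GUESTS[i]) == n && memcmp(GUESTS[i], g, n) == 0) return 1;
    return 0;
}

/* Copy one split into the caller's buffers; `at` selects user@guest order. */
static void fill(const char *s, size_t k, int at, char *guest, char *user, size_t cap) {
    snprintf(at ? user : guest, cap, "%.*s", (int)k, s);
    snprintf(at ? guest : user, cap, "%s", s + k + 1);
}

/* Inferred behaviour: one attempt, split at the first '-' or '@'. 0 on success. */
int split_first(const char *login, char *guest, char *user, size_t cap) {
    size_t k = strcspn(login, "-@");
    if (k == 0 || login[k] == '\0' || login[k + 1] == '\0') return -1;
    fill(login, k, login[k] == '@', guest, user, cap);
    return 0;
}

/* Stricter: try every separator, keep splits whose guest exists, and return
   the number of surviving splits; the caller accepts only a count of 1. */
int resolve_strict(const char *login, char *guest, char *user, size_t cap) {
    size_t len = strlen(login); int matches = 0;
    for (size_t k = 1; k + 1 < len; k++) {
        int at = login[k] == '@';
        if (login[k] != '-' && !at) continue;
        int ok = at ? guest_exists(login + k + 1, len - k - 1) : guest_exists(login, k);
        if (ok && ++matches == 1) fill(login, k, at, guest, user, cap);
    }
    return matches;
}

int main(void) {
    const char *in[] = { "test-user", "user@ser-ver", "ser-ver-user", "us-er@server" };
    char g[64], u[64];
    for (int i = 0; i < 4; i++) {
        split_first(in[i], g, u, sizeof g);
        printf("%-14s first-split: guest=%s user=%s", in[i], g, u);
        printf("  strict matches=%d\n", resolve_strict(in[i], g, u, sizeof g));
    }
    return 0;
}
```

A count of 2 for "ser-ver-user" means both guest "ser" and guest "ser-ver" are plausible targets, which is the case a resolver should refuse rather than guess.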

Note: vslogin requires the vservers root to be at /vservers, so make it a symlink to your location. For example, on Debian systems you need to do

WARNING! If you have installed vslogin, NEVER give shell access to your host to users -- any user on the host who is able to execute programs and modify the environment will be able to log into guests as anybody he wants!